Even as the Ministry of Electronics and Information Technology prepares a formal note on the Data Protection Bill, 2021 (“Bill”) for the Union Cabinet to consider before it is placed in Parliament, the Bill has generated lively debate and discussion amongst industry stakeholders. In this blogpost, I will throw light on some of its problematic provisions, and on how the Bill compares in some relevant respects with the currently existing framework on privacy contained in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”), which it would replace once enacted. While it is true that the framework under the Bill brings in new norms that do not exist under the SPDI Rules, I will explore the areas where the Bill also leaves undesirable gaps that do not exist under the SPDI Rules.
While there is much to be said about the Bill generally, the areas covered in this blogpost are limited to a few stand-out issues directly impacting those processing data, termed ‘data fiduciaries’ in the Bill. These are: (1) consent requirements; (2) data transfer requirements; and (3) the inclusion of non-personal data in the Bill.
Consent is arguably the touchstone upon which data protection legislation is meant to be based, going by the strong reiteration of the fundamental right to privacy by the nine-judge bench in the Puttaswamy case. While the Bill has strong formulations of both ‘consent’ and ‘explicit consent’, requiring them to be free, informed, specific, clear and capable of being withdrawn, there is, notably, no reference to the need for such consent to be in writing, as required under the SPDI Rules. Further, while the Joint Parliamentary Committee, in the Report accompanying the Bill, noted the importance of obtaining fresh consent from a minor, on whose behalf a guardian may have consented, once the minor attains the age of majority, there are no provisions in the Bill to this effect. Of course, these requirements may be included in the final version of the Bill tabled in Parliament.
One of the issues most relevant to industry functioning is that of data localization and the conditions for data transfer. While the Bill requires partial data localization and sets out conditions under which sensitive personal data may be transferred outside India, it is not explicitly clear on the question of transfer of personal data or sensitive personal data to entities located within India. As a consequence, it is possible that the applicable norms (specifically, those of ‘notice and consent’) will have to be read into such domestic transfers from the general scheme of the Bill.
Further, unlike the SPDI Rules, which distinguish between ‘transfer’ and ‘disclosure’, the Bill does not do so; it contains no provisions regarding disclosure generally. Hence, there is no parallel to the bar contained in the SPDI Rules, under which an entity to whom sensitive personal data is first disclosed may not further disclose it to third parties. This may have important implications for the level of protection the Bill is able to provide to the individual’s right to privacy.
In the Bill, it is only in the specific case of cross-border ‘transfer’ to a white-listed entity or country that there is any bar on further ‘sharing’ with a foreign government or agency. However, this bar operates through the prior evaluation for whitelisting to be conducted by the Central Government, and does not involve the data principal directly. Further, no consent or approval is required to be sought from the data principal under this provision before further transfer is sanctioned by the Central Government, if at all.
The last issue for this post, but really the first substantive issue in the latest version of the Bill, is the inclusion of ‘non-personal data’ (“NPD”) in the Bill, as opposed to governing only personal data as every previous iteration of the Bill had done, starting with the White Paper released in 2017 soon after the landmark Puttaswamy decision affirming the fundamental right to privacy.
Interestingly, the Bill does not contain any substantive norms on how NPD is to be governed. Instead, powers in relation to NPD have been delegated to the Data Protection Authority (for example, to specify how ‘breaches’ of NPD must be handled) or to the Central Government (to frame policy for the handling of NPD generally). Such carte-blanche delegation of legislative power is impermissible under the Constitutional scheme in India; if Parliament intends to include a framework for the regulation of NPD within the Bill, then the substantive norms governing it must be included within the Bill itself. At the very least, a framework for the exercise of powers by the Data Protection Authority or the Executive in relation to NPD must be specified within the Bill, as has been done for other issues (for example, the power of the Data Protection Authority to notify ‘significant data fiduciaries’ is bounded by factors laid out in the Bill itself).
The Bill, in its silence on substantive norms around NPD governance, does not expressly mandate data sharing by private entities, as the Reports of the erstwhile Expert Committee on Non-Personal Data had done. However, it leaves scope broad enough for such sharing to be mandated through Rules and Regulations made in future under the aegis of the Central Government. Such mandatory sharing or disclosure of private data would violate the Intellectual Property Treaty obligations that India has committed to. Given that NPD is an important component of the core business model of most companies, allowing such substantive norms on NPD to be formulated subsequently through delegated legislation is not only excessive, but is guaranteed to create an era of policy uncertainty in the industry, which will be antithetical to the growth of business in India.
In light of the issues highlighted in this post along with several other factors discussed elsewhere, it would be desirable to bring further clarity into some of the substantive provisions of the legislation, before it is finally enacted into law.